User / maintenance manual for the product none from the manufacturer Net Optics
User Guide "Smart Filtering" Appliance Doc. PUBDIRU Rev. 2, 9/08 www.netoptics.com [Cover diagram labels: IDS, Analyzer 1, Analyzer 2, RMON 1, RMON 2, Forensic] *** Confidential - DO NOT Distribute ***
PLEASE READ THESE LEGAL NOTICES CAREFULLY. By using a Net Optics Director device you agree to the terms and conditions of usage set forth by Net Optics, Inc. No licenses, express or implied, are granted with respect to any of the technology described in this manual.
Contents: Chapter 1 Introduction; Key Features
Create Complex Filters; View filters; Work with configurable 10 Gigabit ports
Chapter 1 Introduction. Net Optics Director is a key component for building a comprehensive, consolidated monitoring infrastructure for both network management and security.
Key Features. Ease of Use • Tap, aggregation, regeneration, matrix switch, and filter functions in a single device • 19-inch rack frame, 1U hig.
About this Guide. Please read this entire guide before installing Director. This guide applies to the following part numbers: Chassis Part Number D.
Director Architecture. The following diagram shows a schematic view of the architecture of the Director device shown as a Matrix Switch with filtering. The black dots indicate aggregating Matrix Switch connections between Network Ports and Monitor Ports.
The inputs are divided into three groups: two DNMs plus the 10GbE ports. In-line DNM models support 6 in-line links, while Span DNM models support 12 Span ports. The diagram shows one in-line and one Span DNM.
Typical Application. The following diagram shows a typical application using Director to implement a comprehensive, consolidated monitoring infrastructure.
In this installation, Director has ten additional Span ports and one in-line link that are available for expansion, when more links need to be monitored. Monitoring Tools. Still referring to Figure 2, six monitoring tools are connected to Director.
In-line Monitoring of 10 Gigabit Links. To create an in-line link on a 10 Gigabit network segment, use an external iBypass Switch or network Tap. These two methods are explained in the following sections.
Director Front Panel. The features of the Director front panel are shown in the following diagram.
Director Rear Panel. The features of the Director rear panel are shown in the following diagram. [Diagram labels: Management Port, RS232, INPUT, OUTPUT, SERIAL NUMBER]
Chapter 2 Installing Director. This chapter describes how to install and connect Director devices. The procedure for installing Director follows these basic steps: 1. Plan the installation 2. Unpack and inspect the Director device
Plan the Installation. Before you begin the installation of your Director device, determine the following: Name that will identify the Director dev.
Install Director Network Modules. If the Director Network Modules (DNMs) are not already installed when you receive the unit, install them by sliding them into the DNM slots in the front panel.
Connect Power to Director. For power fault protection, Director is equipped with redundant power connections. If one power source becomes unavailable due to an interruption in AC power or failure of the power brick, the other power source keeps Director operating normally.
2. Launch terminal emulation software and set communication parameters to: 115200 baud, 8 data bits, No parity, 1 stop bit, No flow control. The Net Optics CLI banner and login prompt are displayed in the Terminal Emulation software.
4. Enter netoptics as the password. For security, the password is not displayed as you type it. The Director CLI runs and the CLI sign-on banner and login prompt are displayed. login as: customer customer@10.
Configure Director using the CLI. You should be logged into the Director CLI. The factory-set default values for Director are: • Username: admin • Password: netoptics • IP Address: 10.60.4.
Assign a New Director IP Address, Netmask, and Gateway IP Address. If you are using the local RS-232 serial interface to access the CLI, then you need to configure the IP Address that Compass management software, when available, will use to communicate with Director.
Tip! You can change the modes of multiple ports in a single command by specifying the ports in the portlist.
Using the CLI Help Command. To view CLI help information: 1. Enter Help at the "Net Optics:" prompt.
Using the CLI Command History Buffer. You can save a lot of typing by using the command history buffer maintained by the CLI. The up- and down-arrow keys scroll forward and backward through the history buffer.
Connect Span Ports to Director. To connect Director to the network using Span ports, be sure that at least one of your DNMs is a Span model. Use ports in that DNM to connect to the network. Span port numbering is shown in the following diagram.
Connect Director With In-line Network Links. To connect Director to the network using an in-line installation, be sure that at least one of your DNMs is an in-line model.
[Diagram: Director front panel with In-Line 10/100/1000 and In-Line GigaBit modules, port numbering, LINK and ACT indicators]
Chapter 3 Configuring Filters Using the CLI. This chapter describes how to use the CLI to determine which monitoring tools are connected to which Network ports.
When you define a filter, you specify an action to be taken when the filter conditions are met. The action can be either drop or redir (meaning redirect). If the action is drop, then packets which meet the filter criteria are dropped, that is, they are not copied to any Monitor port.
[Diagram: Network Port 1, Network Port 2, Monitor Port 3] filter add in_ports=n1.1,n1.2 action=redir redir_ports=m.
Create Filters. Filters process a traffic stream by selecting packets based on criteria in the packet header. A filter is defined using a filter add command, which also specifies the Network ports and Monitor ports the filters apply to.
• ip_dst IP destination address • ip_dst_mask IP source address mask • ip_proto IP protocol • l4_src_port Layer 4 source port • l4_dst_port .
[Diagram: Monitor Port 1, Network Port 5] filter add in_ports=n1.5 ip_proto=6 action=redir redir_ports=m.1 filter add in_ports=n1.
Work with configurable 10 Gigabit ports. The two configurable 10 Gigabit XFP ports on the front panel are designated t.1 (on the left) and t.2 (on the right). They can be used in network port lists and monitor port lists.
filter add in_ports=n1.11 action=redir redir_ports=t.2 filter add in_ports=n1.1-n1.4 action=redir redir_ports=t.
Understand filter interactions. It is important to understand that Director uses Content Addressable Memory (CAM) technology to implement filters. As each filter is defined, it is stored in the next available entry in the CAM.
Have we achieved our goal of sending all the TCP traffic to Monitor Port 2? Not quite. What happens when a TCP packet arrives from 192.186.10.0? It matches the filter at CAM address 1, so it is copied to Monitor Port 1.
Note: Instead of filter add, you can use a filter ins command to define filters.
Understand pending and active filters. To understand the actions of filter commands such as filter commit, filter discard, and filter delete, it is helpful to visualize the pending filter list and the CAM that holds the active filters.
After filter sync (Figure 41): Pending filter list: address 1: n1.1 ip_proto=UDP action=drop; address 2: n1.1 m.1. CAM: address 1: n1.1 ip_proto=UDP action=drop; address 2: n1.1 m.1. 3. Use filter add, filter ins, and filter del commands to change filters as desired.
Be aware of these similar pairs of commands: • filter discard clears the pending filter list, while filter clear clears the CAM filte.
Chapter 4 Daisy-chaining Multiple Director Chassis. This chapter describes how to expand the capacity of Director by daisy-chaining multiple Director chassis. The complete set of chassis becomes a single logical system with up to 380 total ports.
Appendix A Director Specifications. Specifications, chassis. Mechanical Dimensions: 1.6” high x 15.
Specifications, DNM. Copper Interface: (12) RJ45 Network Ports 10/100/1000Mbps; (6) In-line links or (12) Span ports depending on model; 22-24 AWG u.
Appendix B Command Line Interface. Tip! The command line interface (CLI) is not case sensitive.
Command / Sub-Command / Parameters / Example and description: filter add ipv6=< y | n > in_ports=<network_portlist>* <qual>=<value&.
Command / Sub-Command / Parameters / Example and description: filter (continued) list ipv6=< y | n > filter list Parameters: ipv6=y for IPv6 addr.
Command / Sub-Command / Parameters / Example and description: passwd passwd Interactively changes the password of the SSH user account; ping <address>* ping 10.
Command / Sub-Command / Parameters / Example and description: sysip commit sysip commit Activates pending changes defined with sysip set; set ipaddr=<address> netmask=<netmask> gw=<gateway> sysip ipaddr=192.
Command / Sub-Command / Parameters / Example and description: user This command is only available at root level; show user show Lists all the currently de.
Filter parameters. Switches and filters are defined using the filter add and filter ins commands.
Appendix C Protocol Numbers. The official Assigned Internet Protocol Numbers list is maintained by the Internet Assigned Numbers Authority and can be found at http://www.iana.org/assignments/protocol-numbers.
Num / Keyword / Protocol: 55 MOBILE IP Mobility; 56 TLSP Transport Layer Security Protocol using Kryptonet key management; 57 SKIP SKIP; 58 IPv6-ICMP ICM.
Num / Keyword / Protocol: 115 L2TP Layer Two Tunneling Protocol; 116 DDX D-II Data Exchange (DDX); 117 IATP Interactive Agent Transfer Protocol; 1 .
Limitations on Warranty and Liability. Net Optics offers a limited warranty for all its products.
© 2008 by Net Optics, Inc. All Rights Reserved. www.netoptics.com.